The Federal Trade Commission is aiming to bring more EU-U.S. Privacy Shield enforcement actions for significant violations of the cross-border data transfer program, the agency’s consumer protection chief said April 26.
Facebook Inc., 23andMe Inc., and thousands of other U.S. companies rely on the Privacy Shield program to move EU citizen data freely from Europe to the U.S. The Commerce Department works with the FTC to enforce data protection principles under the program to ensure companies are providing adequate privacy protections for EU citizens’ data.
The FTC reviews Privacy Shield compliance in every investigation, but has yet to hold any company in violation of the program’s principles. That may change, now that lead FTC officials are signaling greater scrutiny of larger alleged cross-border data transfer privacy failures.
There is a group of cases the FTC is “looking at right now and they include” alleged substantive violations of the Privacy Shield program rules, Andrew Smith, director of the agency’s Bureau of Consumer Protection, said in an April 26 interview. It has been “a goal” of the FTC “to bring more” actions that show “substantial violations” of the Privacy Shield, he said.
Smith, though, doesn’t expect a deluge of Privacy Shield enforcement actions right away because they “are hard to bring.” The agency will take Privacy Shield enforcement cases as the FTC finds them.
The program and other transfer mechanisms, including standard contracts and binding corporate rules, govern $260 billion in transatlantic data transfers annually, Bloomberg data show.
The agency has brought a handful of Privacy Shield enforcement actions for technical violations of the program. The commission alleged companies didn’t properly register for the program, or didn’t have accurate privacy policies reflecting their program status.
Privacy Shield participants should review their privacy policies and other compliance requirements if the agency follows through on its promise to bring more substantial cases.